How to authenticate to my backend using EntraID

Hi,

I have the following authentication problem. I would be grateful if someone could suggest a solution, or at least some advice, because I have problems understanding the big picture of how to implement this and how it should work.

I have developed a Forge plugin that makes some API calls to my backend (which I have also developed). Currently I use an API key when I make the API calls to the backend, but since the Forge plugin runs in the browser, this API key is easily visible in the developer console and every user can see it. This is not secure at all: someone could use this API key and call my backend API without the Forge plugin, and this is what I would like to prevent.

My users log in to Jira Cloud using my company’s SSO based on Microsoft EntraID (formerly Active Directory).

So, my understanding of a good and secure authentication is that I also need to use EntraID.
My Forge plugin should (somehow) get the current Jira user’s JWT and send it when making API calls to my backend. My backend would then verify the JWT with our EntraID and answer the call if it was valid.

If all of the above is correct, my question is where my Forge plugin should get the JWT from. Since it is a plugin, and is used by a user who is already logged in to Jira, I assume I should get this from Jira somehow, but how?
Or should the plugin get only user data from Jira (username or something similar) and request the JWT from our EntraID itself?
Would that mean that my plugin should be registered in EntraID as a separate application, not using Jira’s registration?

Any advice would be helpful.

Hi @axldpir,

Thanks for reaching out.

Can you clarify - how are you calling your external API from your Forge app? Are you using the Fetch API or something else?

The most straightforward way to ensure you aren’t exposing your key in the browser developer console would be to call your external API from a resolver, and I’d also recommend using Environment variables to store your API keys.

If you’re not sure about how to implement that, check out the Build a Dashboard Gadget Tutorial in our Forge Quest docs - this guides you to build an app that calls an external API with fetch using a key for authentication.

I hope this helps. If it does solve your problem please mark this as the solution. If you’re still stuck, please let me know how you’re calling the external API from your app and I’ll do my best to answer.

Cheers!
Mel

Thanks Mel,

that is an excellent proposal; I didn’t think about that.
I have two concerns:

  1. My backend application uses an LLM in the background and ‘streams’ the answer using SSE (server-side events). I need to try it out to see how this works with a resolver.
  2. We have another plugin (with the same functionality, using the same backend) just for Jira Data Center, developed using the Atlassian SDK. This is being developed by my colleague, so I am not familiar with the details of the Atlassian SDK. The question is how to solve the same problem there as well.

Thank you very much for your support!
Daniel

Hi @axldpir,

For your Forge app, you may wish to look at Events, which can be used to invoke your Forge app.

As for the DC plugin, the Server and Cloud plugin environments are very different, so I would say the solution will be quite different there. Check out the Jira Data Centre Security Overview to learn more about authentication in Server apps.